The dawn of the cyber posse

With military and law enforcement organisations proving unsuited to police the online economy, we've started to see the formation of posse-like arrangements, where citizens of the online world fight to keep their own environment safe. The trend seems unstoppable, but we need to guide it carefully if we want to keep our liberties.

As we heard on this week's Patch Monday podcast, the language used to describe information security is fast becoming militarised. "Information assurance" has been replaced with "defensive cyber operations".

F-Secure chief research officer Mikko Hypponen showed us that US defence contractors are hiring hundreds of people with top-secret security clearances to develop offensive cyber munitions. Other nations are doing the same, and senior military figures now emphasise that their mission includes defending online commerce.

General Keith Alexander, commander of US Cyber Command (USCYBERCOM) and director of the National Security Agency (NSA), told a congressional hearing last month that "rampant cyber-theft" involved "the greatest transfer of wealth in history".

An online Cold War looms, it seems. But we want it to stay cold, so the military is not the ideal enforcer for the online economy.

Yet law enforcement agencies don't seem to be up to the job either. In November 2011, for example, the chief executive officer of the Australian Crime Commission (ACC), John Lawlor, said that police will never be able to move as fast as the criminals, so it's up to businesses and individuals to harden up.

"I think it is absolutely essential for governments, for businesses, for the individual, to have the proper controls in place to prevent, or to harden the environment against, the cyber attack," Lawlor said.

The average local police force is unlikely to have even the most rudimentary skills needed to hunt online criminals.

The laws are also lagging far behind the technology that they are policing. In the absence of any proper laws, quasi-legal arrangements are being set up between commercial entities.

"When they send you that notice saying 'I've noticed that your machine is a bot', are they acting as a magistrate? What, precisely, are they doing when they send you that note?" Caelli asked, referring to the Internet Industry Association's iCode for dealing with infected computers, a model that's being adopted by South Africa and is being praised by the US.

The same question applies to the commercial agreement in the US, between the copyright industries and ISPs, to deal with repeat infringers. What is its legal status, really?

Caelli reckons we have a problem on our hands.

"As a matter of fact, [the ISPs are] offering a function which, in some ways, is reminiscent of a sheriff," he said. But unlike a sheriff, the ISPs have no clear legal authority. He thinks that one way to confer authority on these organisations is to form a posse.

The word "posse" conjures images of the American western frontier, but, in fact, it is short for the Latin posse comitatus, "the power of the county", and dates back to the Middle Ages. Under common law, on which the laws of the US and Commonwealth countries are based, a county sheriff, or other law officer, can conscript any able-bodied males to assist in keeping the peace, or to pursue and arrest a felon — although, in the US, the Posse Comitatus Act of 1878 restricts the use of military forces as part of a posse.

Caelli argues that police could simply enlist any technically adept citizens and form a posse to round up the bot-herders.

Similarly, citizens could be conscripted into a militia, should the threat be more military in nature than criminal.

I think examples of the cyber posse are already here, although they've been formed via innovative use of the civil law, rather than criminal, and the driving force has come from the civilian side, not law enforcement.

For the last two years, Microsoft has led a series of operations to destroy botnets, contributing to a significant drop in global spam volumes, from Operation b49, which took down the Waledac botnet in 2010, to the recent takedown of several botnets built on the Zeus banking trojan.

The takedowns were possible because Richard Boscovich, senior attorney with Microsoft's Digital Crimes Unit, had pushed the limits of civil law. As he told ZDNet Australia in a Patch Monday podcast two years ago, it meant first proving that Microsoft's customers had been harmed, and then obtaining court orders ex parte, so that direct action could be taken without the botnet operators being notified.

As good as this is, in more recent operations, botnet command and control servers have been taken out by "technical means". You don't need much imagination to see that this means conducting activities which, in other circumstances, might be considered cybercrime. Many would be concerned that a commercial business, Microsoft, was given the authority to disrupt someone else's computer systems.

Think about Australia's famous iiTrial, where it was revealed that investigators hired by the Australian Federation Against Copyright Theft (AFACT) had themselves joined BitTorrent swarms in order to gather evidence implicating others in illegal activities — but AFACT isn't a police force.

When the Federal Court of Australia, and then the High Court, dealt with this, it was a civil case — not a criminal case. A question, therefore, remains: What legal authority does a commercial organisation, like AFACT, have to collect evidence?

It seems to me that we're racing ahead of the legal frameworks. Perhaps we need to pause for a moment and establish proper legal authority for these activities, before we enable ordinary citizens to pursue cybercriminals in new ways. But once we have, the possibilities are endless.

We could go beyond deputising information security specialists into a cyber posse. How about setting up a standing militia, or a WWII-style Home Guard of retired or semi-retired information workers, logging in after lunch to analyse some log files and report the anomalies?

We could even "gamify" it. If 40 per cent of Amazon's Mechanical Turk tasks are related to spam, as some estimates put it, could we turn that around? Could we hand out merit badges for every online scam that people uncover?